1. Field of the Invention
The present invention relates to an apparatus having an input operation section and a control section, and more specifically, it relates to such an apparatus having high security which is used as a terminal or the like through which an input operation is performed, for example in a banking terminal, a variety of kinds of ticket vending machines, etc.
2. Description of the Related Art
In banking terminals, various kinds of ticket vending machines, etc., there is used an apparatus in which a button or a pointer displayed on a screen such as a touch panel is operated by a user or operator who actually touches the screen, and in some cases, operator's personal secret information such as a personal identification number, a credit card identification number, etc., is input through the apparatus. In addition, such an apparatus includes an input operation section and a device control section which are not usually integrated with each other, but connected with each other through a cable or the like.
FIG. 9 is a block diagram illustrating a part of such an apparatus or a part of a known system including such an apparatus whose security has been considered to be assured. This figure shows a system comprising an apparatus 1 and an external device or equipment 5 which is connected with the apparatus 1 through a dedicated line or a common carrier leased line 7, the apparatus 1 including an input operation section 2, a device control section 3 and another internal device 6, and a shaded part in this figure indicates the portion whose security has been considered to be assured. Thus, the transmission of data from the input operation section 2 to the control section 3 as well as the transmission of data from the control section 3 to the internal device 6 is performed in plain texts. Also, data transmission between the control section 3 and the external equipment 5 is performed through the common carrier leased line 7 in plain text data.
However, in recent years, tapping equipment is also improving its performance, and there are cases in which malicious person might disguise as a maintenance worker or attendant for the apparatus 1 to do unauthorized or illegal conducts, so it could not be necessarily said that the above system keeps satisfactory security. Accordingly, there is an increasing danger that identity or personal information such as personal identification number or the like input from the touch panel, etc., of the apparatus 1 might be leaked. Therefore, to deal with such tapping and illegal conducts, it becomes necessary to improve the security in the apparatus. At present, banking terminals, various kinds of ticket vending machines and the like are set up or installed in various places, but there are many installation locations unattended for these terminals and machines. Moreover, there is a tendency that the operating time of such terminals and machines is extended to 24 hours or from morning to midnight, so high security is required so as to prevent the leakage of the identity or personal secret information from the apparatus.
As a technique for keeping the security of the apparatus, it have been proposed certain methods of preventing the above-mentioned secret information from being leaked by someone looking into the screen (furtive glance) or by an operation analysis as disclosed in Japanese Patent Application Laid-Open Nos. 9-54862 and 2000-20468, but in these methods, the position of operation on the screen and the keyboard layout are changed upon each operation, and hence the operator's accustomedness and convenience might be obstructed.
Moreover, as a simple method for ensuring security, it is considered to adopt, upon inputting by means of the touch panel or the like of the apparatus 1, a method of encrypting and transmitting the data of coordinates pressed by the touch panel without any other processing thereof as shown in FIG. 10. In this method, the coordinate data such as, for instance, (2, 7), input by the input operation section 2 is encrypted into “eeff” by a cipher module 4 of the input operation section 2, and the encrypted coordinate data “eeff” is then transmitted to the control section 3 (step S1). It is necessary for the control section 3, which has received the data thus transmitted, to decrypt the encrypted coordinate data so as to convert it into numerical or character data or instruction directive data according to a screen configuration. In this example, the received data is converted into a numeric character “4” in this case. Here, it is determined whether the numeric character “4” is the data which should be encrypted for transmission to the external equipment 5, and if it is determined to be the data needed to be encrypted, the numeric character “4” is encrypted into an encrypted message “0dff”, which is then transmitted to the external equipment 5 (step S2). On the other hand, when it is determined that the numeric character “4” is the data which should not be encrypted, ordinary processing is carried out on the numeric character “4”, that is, the numeric character “4” is processed in the control section 3 as it is, or the raw data which is not encrypted is transmitted to the external equipment 5 as it is (step S3).
However, in this method, the control section 3 analyzes the data, and hence it is essential to ensure security of the control section 3 and provide a tapping prevention mechanism (unauthorized conduct prevention device). In addition, since the control section 3 performs encryption and decryption, it is required that the control section 3 is provided with an encryption/decryption module (cipher module 4) separately from or in addition to the input operation section 2. Moreover, since ordinary control data which need not be encrypted is also subjected to encryption and sent out from the input operation section 2, there is a problem that the amount of processing is increased by processing of decryption, accordingly increasing the load on the apparatus 1.